Flexible single master operation
Domain-wide FSMO roles

Every domain in an Active Directory forest must contain exactly one holder of each of the following roles:

* The Relative ID (RID) Master allocates pools of relative IDs to the DCs of its domain; each DC uses its pool to build the SIDs of the new security principals (users, groups and computer objects) it creates. The RID Master also handles moving objects between domains.
* The Infrastructure Master keeps the SIDs, GUIDs and distinguished names of objects that are referenced from other domains up to date. Most commonly this is group membership: if you add a user from one domain to a security group in a different domain, the Infrastructure Master makes sure the cross-domain reference stays correct as the user object changes. In a single-domain forest this role has nothing to do, and even in a multi-domain forest it is lightly loaded except during bulk user administration, so the DC holding it needs little horsepower.
* The PDC Emulator receives every password change in the domain: the DC that processes the change replicates it to the PDC Emulator immediately (urgent replication) rather than on the normal schedule. When a logon fails at another DC because of a bad password, that DC forwards the attempt to the PDC Emulator before rejecting it, so a user can log on immediately after a password change from any DC without waiting for replication. It is also the authoritative time source for the domain and the DC against which Group Policy edits are made by default. The PDC Emulator should therefore be sited where it can best handle the password-change and failed-authentication forwarding traffic for the whole domain.

Forest-wide FSMO roles

Regardless of the number of domains in the forest, the following roles exist exactly once per forest:

* The Schema Master controls all modifications to the forest schema. The schema defines the object classes permitted in the forest and the attributes of those objects.
* The Domain Naming Master tracks the names of all domains in the forest and is required to add a domain to, or remove a domain from, the forest.

Transferring or seizing FSMO roles

Transferring or seizing an FSMO role can be done with the ntdsutil command on a domain controller (Windows 2000 Server and Windows Server 2003 onwards). Full details of the process are in Microsoft KB 255504 (http://support.microsoft.com/kb/255504).

Moving FSMO roles between domain controllers

By default AD assigns all five operations master roles to the first DC created in a forest, and the first DC in each additional domain holds all three domain-wide roles of that domain. This is rarely the desired end state: Microsoft recommends dividing the roles deliberately, with standby DCs ready to take over each role.

When an FSMO role is transferred, the current holder and the new holder communicate so that the role's latest state (for example the RID pool allocations, or pending schema changes) is replicated before the handover; no data is lost. If the current holder has failed unrecoverably, another DC can be forced to seize the role, but because the two DCs cannot communicate, any changes that had not yet replicated off the failed holder are lost. Once a role has been seized, the original holder must never be brought back online: if it rejoins the network still believing it owns the role, the domain has two holders and Active Directory can become corrupt. The failed DC should be rebuilt and its remaining references removed with the ntdsutil metadata cleanup procedure.

Roles can be moved between DCs with the Active Directory MMC snap-ins (Active Directory Users and Computers for the three domain roles, Active Directory Domains and Trusts for the Domain Naming Master, Active Directory Schema for the Schema Master) or with the command-line tool ntdsutil.

Certain roles also depend on whether the DC is a Global Catalog (GC) server. In a multi-domain forest the Infrastructure Master must not be placed on a DC that also hosts a copy of the global catalog (unless every DC in the domain is a GC), whereas the Domain Naming Master should be on a DC that is also a GC.
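The following PowerShell script is an added example and not part of the original article or any Microsoft documentation. It inventories the five role holders, checks them against the placement rules described above, and transfers a role (or seizes it, with the reachability check and the warning a seizure needs). It assumes the RSAT ActiveDirectory module is installed and that the caller has the rights the role requires (Domain Admins for domain roles, Enterprise Admins and Schema Admins for the forest roles); the server names in the usage line are placeholders.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory
# module; DC names such as DC02 are placeholders.
Import-Module ActiveDirectory

function Get-FsmoInventory {
    # Forest roles come from Get-ADForest, domain roles from Get-ADDomain (all FQDNs).
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        DomainCount          = @($forest.Domains).Count
    }
}

function Test-FsmoPlacement {
    param([Parameter(Mandatory)]$Inventory)
    $dcs   = @(Get-ADDomainController -Filter *)
    $gcs   = @($dcs | Where-Object IsGlobalCatalog | ForEach-Object HostName)
    $allGc = ($dcs.Count -eq $gcs.Count)
    $findings = @()

    # Infrastructure Master must not be a GC in a multi-domain forest,
    # unless every DC in the domain is a GC (then it has nothing to do anyway).
    if ($Inventory.DomainCount -gt 1 -and $gcs -contains $Inventory.InfrastructureMaster -and -not $allGc) {
        $findings += "Infrastructure Master $($Inventory.InfrastructureMaster) is a GC and not all DCs are GCs"
    }
    # Domain Naming Master should be a GC (looked up directly; it may sit in another domain).
    if (-not (Get-ADDomainController -Identity $Inventory.DomainNamingMaster).IsGlobalCatalog) {
        $findings += "Domain Naming Master $($Inventory.DomainNamingMaster) is not a GC"
    }
    # Recommended pairings from the article.
    if ($Inventory.PDCEmulator -ne $Inventory.RIDMaster) {
        $findings += "PDC Emulator and RID Master are on different DCs"
    }
    if ($Inventory.SchemaMaster -ne $Inventory.DomainNamingMaster) {
        $findings += "Schema Master and Domain Naming Master are on different DCs"
    }
    $findings
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]]$Role,
        [switch]$Seize
    )
    if ($Seize) {
        # Seizure is only for an unrecoverable holder: refuse if it still answers.
        $before = Get-FsmoInventory
        foreach ($r in $Role) {
            $holder = $before.$r
            if (Test-Connection -ComputerName $holder -Count 1 -Quiet) {
                throw "Current $r holder $holder is reachable; transfer instead of seizing."
            }
        }
        # -Force makes the cmdlet seize when the holder cannot be contacted.
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Force -Confirm:$false
        Write-Warning ("Seized {0}. The former holder must never return to the network; " +
                       "rebuild it and run ntdsutil metadata cleanup.") -f ($Role -join ', ')
    } else {
        # Normal transfer: old and new holder synchronise before the handover.
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Confirm:$false
    }
    # Verify with a fresh read rather than trusting the cmdlet's silence.
    $after = Get-FsmoInventory
    foreach ($r in $Role) {
        if ($after.$r -notlike "$Target*") { throw "$r is still held by $($after.$r)" }
    }
    $after
}

# Usage (placeholder names):
#   $inv = Get-FsmoInventory; Test-FsmoPlacement -Inventory $inv
#   Move-FsmoRole -Target DC02 -Role PDCEmulator,RIDMaster          # transfer, keeps the pairing
#   Move-FsmoRole -Target DC02 -Role InfrastructureMaster -Seize   # only after DC01 is known dead
```

Test-FsmoPlacement returns an empty array when the placement matches the rules; each string it returns is one rule violated. The seize branch deliberately refuses when the current holder still responds to a ping, because a reachable holder should be transferred from, never seized.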
When a forest is first created, its first domain controller is a Global Catalog server by default. The GC stores a partial replica of every object in the forest, answers forest-wide queries about those objects and their attributes, and supplies the universal group membership needed for network logon.

Recommended placement: the PDC Emulator and the RID Master should be on the same DC where possible, and the Schema Master and Domain Naming Master should likewise share a DC. For fault tolerance there should be at least two domain controllers in each domain of the forest. In a multi-domain environment the Infrastructure Master should not also be a Global Catalog server, because the combination causes unexpected (and potentially damaging) behaviour: the Infrastructure Master finds stale cross-domain references by comparing its own copy of the database with the GC, and if it is itself a GC it never sees anything to fix (see "Phantoms, Tombstones and the Infrastructure Master", Microsoft KB 248047).

Active Directory support tools

Support tools such as dcdiag and repadmin can test that the components of Active Directory are functioning correctly within the forest; for example, dcdiag /test:FsmoCheck verifies that the operations master role holders can be located and contacted. The tools can be downloaded from the Microsoft web site or, for older versions, installed from the Support Tools folder on the Windows Server CD.

References

External links

* http://www.itnewsgroups.net/group/microsoft.public.windows.server.general/topic32810.aspx
* http://forums.techarena.in/active-directory/1032022.htm
* Microsoft Support: Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller (KB 255504): http://support.microsoft.com/kb/255504

Category:Active Directory